@metalabel/dfos-protocol 0.11.0 → 0.12.0

package/dist/chain/index.d.ts

@@ -1,5 +1,5 @@
-import { I as IdentityOperation, h as Signer, V as VerifiedIdentity, S as ServiceEntry, b as ContentOperation, c as CountersignPayload, a as ArtifactPayload } from '../schemas-Myod8ES9.js';
-export { A as ARTIFACT_CID_ANCHOR_RE, C as CONTENT_ID_ANCHOR_RE, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_SERVICES_ENTRIES, e as MAX_SERVICES_PAYLOAD_SIZE, f as MultikeyPublicKey, R as RevocationPayload, g as ServicesArray } from '../schemas-Myod8ES9.js';
+import { I as IdentityOperation, i as Signer, V as VerifiedIdentity, S as ServiceEntry, b as ContentOperation, c as CountersignPayload, a as ArtifactPayload } from '../schemas-Bb_9P8_s.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, C as CONTENT_ID_ANCHOR_RE, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_OPERATION_SIZE, e as MAX_SERVICES_ENTRIES, f as MAX_SERVICES_PAYLOAD_SIZE, g as MultikeyPublicKey, R as RevocationPayload, h as ServicesArray } from '../schemas-Bb_9P8_s.js';
 import 'zod';
 
 /** Ed25519 public key multicodec value */

package/dist/chain/index.js

@@ -6,6 +6,7 @@ import {
   CountersignPayload,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
@@ -33,14 +34,14 @@ import {
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   verifyRevocation
-} from "../chunk-SDUOUFTF.js";
+} from "../chunk-J5C4OXL4.js";
 import {
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
   decodeMultikey,
   encodeEd25519Multikey
-} from "../chunk-LQFOBE6X.js";
-import "../chunk-GQOZJKKO.js";
+} from "../chunk-J3XXF6F5.js";
+import "../chunk-4QQ5HK5M.js";
 export {
   ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
@@ -51,6 +52,7 @@ export {
   ED25519_PUB_MULTICODEC,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,

package/dist/{chunk-GQOZJKKO.js → chunk-4QQ5HK5M.js}

@@ -239,7 +239,11 @@ var dagCborCanonicalEncode = async (value) => {
   });
 };
 var MAX_SAFE_CANONICAL_INTEGER = 9007199254740991;
-var assertCanonicalNumbers = (value) => {
+var MAX_CANONICAL_DEPTH = 1024;
+var assertCanonicalNumbers = (value, depth = 0) => {
+  if (depth > MAX_CANONICAL_DEPTH) {
+    throw new Error(`value nesting exceeds max depth ${MAX_CANONICAL_DEPTH}`);
+  }
   if (typeof value === "number") {
     if (!Number.isFinite(value)) {
       throw new Error(`non-finite number is not canonicalizable: ${value}`);
@@ -257,11 +261,11 @@ var assertCanonicalNumbers = (value) => {
     return;
   }
   if (Array.isArray(value)) {
-    for (const entry of value) assertCanonicalNumbers(entry);
+    for (const entry of value) assertCanonicalNumbers(entry, depth + 1);
     return;
   }
   if (value !== null && typeof value === "object") {
-    for (const entry of Object.values(value)) assertCanonicalNumbers(entry);
+    for (const entry of Object.values(value)) assertCanonicalNumbers(entry, depth + 1);
   }
 };
 var parseDagCborCID = (cid) => {

package/dist/{chunk-LQFOBE6X.js → chunk-J3XXF6F5.js}

@@ -5,27 +5,24 @@ import {
   decodeJwsUnsafe,
   verifyJws,
   verifyJwt
-} from "./chunk-GQOZJKKO.js";
+} from "./chunk-4QQ5HK5M.js";
 
 // src/credentials/schemas.ts
 import { z } from "zod";
-var MAX_DID = 256;
-var MAX_AUD = 512;
-var MAX_RESOURCE = 512;
-var MAX_ACTION = 64;
 var MAX_ATT = 32;
 var MAX_PRF = 1;
-var Attenuation = z.strictObject({
-  resource: z.string().min(1).max(MAX_RESOURCE),
-  action: z.string().min(1).max(MAX_ACTION)
+var MAX_CREDENTIAL_SIZE = 262144;
+var Attenuation = z.looseObject({
+  resource: z.string().min(1),
+  action: z.string().min(1)
 });
-var DFOSCredentialPayload = z.strictObject({
+var DFOSCredentialPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("DFOSCredential"),
   /** Issuer DID */
-  iss: z.string().min(1).max(MAX_DID),
+  iss: z.string().min(1),
   /** Audience DID or "*" for public credentials */
-  aud: z.string().min(1).max(MAX_AUD),
+  aud: z.string().min(1),
   /** Attenuations — resource + action pairs */
   att: z.array(Attenuation).min(1).max(MAX_ATT),
   /** Parent credential JWS tokens (for delegation chains) */
@@ -35,13 +32,13 @@ var DFOSCredentialPayload = z.strictObject({
   /** Issued at — unix seconds */
   iat: z.number().int().positive()
 });
-var AuthTokenClaims = z.strictObject({
+var AuthTokenClaims = z.looseObject({
   /** Issuer — the DID proving identity */
-  iss: z.string().max(MAX_DID),
+  iss: z.string(),
   /** Subject — same as iss for auth tokens */
-  sub: z.string().max(MAX_DID),
+  sub: z.string(),
   /** Audience — target relay hostname (prevents cross-relay replay) */
-  aud: z.string().max(MAX_AUD),
+  aud: z.string(),
   /** Expiration — unix seconds, short-lived (minutes) */
   exp: z.number().int().positive(),
   /** Issued at — unix seconds */
@@ -187,6 +184,11 @@ var createDFOSCredential = async (options) => {
   return jwsToken;
 };
 var verifyDFOSCredential = async (jwsToken, options) => {
+  if (jwsToken.length > MAX_CREDENTIAL_SIZE) {
+    throw new CredentialVerificationError(
+      `credential exceeds max size: ${jwsToken.length} > ${MAX_CREDENTIAL_SIZE}`
+    );
+  }
   const decoded = decodeJwsUnsafe(jwsToken);
   if (!decoded) throw new CredentialVerificationError("failed to decode credential JWS");
   if (decoded.header.typ !== "did:dfos:credential") {
@@ -372,6 +374,7 @@ export {
   ED25519_PRIV_MULTICODEC,
   encodeEd25519Multikey,
   decodeMultikey,
+  MAX_CREDENTIAL_SIZE,
   Attenuation,
   DFOSCredentialPayload,
   AuthTokenClaims,

package/dist/{chunk-SDUOUFTF.js → chunk-J5C4OXL4.js}

@@ -1,52 +1,46 @@
 import {
+  MAX_CREDENTIAL_SIZE,
   decodeDFOSCredentialUnsafe,
   decodeMultikey,
   matchesResource,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "./chunk-LQFOBE6X.js";
+} from "./chunk-J3XXF6F5.js";
 import {
   createJws,
   dagCborCanonicalEncode,
   decodeJwsUnsafe,
   generateIdNoPrefix,
   verifyJws
-} from "./chunk-GQOZJKKO.js";
+} from "./chunk-4QQ5HK5M.js";
 
 // src/chain/schemas.ts
 import { z } from "zod";
-var MAX_KEY_ID = 64;
-var MAX_PUBLIC_KEY_MULTIBASE = 128;
-var MAX_CID = 256;
-var MAX_NOTE = 256;
-var MAX_KEYS_PER_ROLE = 16;
-var MAX_DID = 256;
-var MAX_SERVICE_ID = 64;
-var MAX_SERVICE_TYPE = 64;
-var MAX_SERVICE_STRING = 512;
+var MAX_KEYS_PER_ROLE = 256;
 var MAX_RELATION = 64;
-var MAX_SERVICES_ENTRIES = 16;
-var MAX_SERVICES_PAYLOAD_SIZE = 8192;
-var MultikeyPublicKey = z.strictObject({
-  id: z.string().max(MAX_KEY_ID),
+var MAX_SERVICES_ENTRIES = 256;
+var MAX_SERVICES_PAYLOAD_SIZE = 32768;
+var MAX_OPERATION_SIZE = 65536;
+var MultikeyPublicKey = z.looseObject({
+  id: z.string(),
   type: z.literal("Multikey"),
-  publicKeyMultibase: z.string().max(MAX_PUBLIC_KEY_MULTIBASE)
+  publicKeyMultibase: z.string()
 });
 var CONTENT_ID_ANCHOR_RE = /^[2346789acdefhknrtvz]{31}$/;
 var ARTIFACT_CID_ANCHOR_RE = /^baf[a-z2-7]{20,}$/;
 var ServiceEntry = z.object({
-  id: z.string().min(1).max(MAX_SERVICE_ID),
-  type: z.string().min(1).max(MAX_SERVICE_TYPE)
+  id: z.string().min(1),
+  type: z.string().min(1)
 }).catchall(z.unknown()).superRefine((entry, ctx) => {
   if (entry.type === "DfosRelay") {
     const endpoint = entry["endpoint"];
-    if (typeof endpoint !== "string" || endpoint.length < 1 || endpoint.length > MAX_SERVICE_STRING) {
+    if (typeof endpoint !== "string" || endpoint.length < 1) {
       ctx.addIssue({ code: "custom", message: "DfosRelay requires a non-empty endpoint string" });
     }
   } else if (entry.type === "ContentAnchor") {
     const label = entry["label"];
     const anchor = entry["anchor"];
-    if (typeof label !== "string" || label.length < 1 || label.length > MAX_SERVICE_STRING) {
+    if (typeof label !== "string" || label.length < 1) {
       ctx.addIssue({
         code: "custom",
         message: "ContentAnchor requires a non-empty label string"
@@ -65,8 +59,8 @@ var ServicesArray = z.array(ServiceEntry).max(MAX_SERVICES_ENTRIES).refine(
   "service entry ids must be unique"
 );
 var Iso8601 = z.iso.datetime({ offset: false, precision: 3 });
-var CIDString = z.string().max(MAX_CID);
-var IdentityCreate = z.strictObject({
+var CIDString = z.string();
+var IdentityCreate = z.looseObject({
   version: z.literal(1),
   type: z.literal("create"),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
@@ -77,7 +71,7 @@ var IdentityCreate = z.strictObject({
   services: ServicesArray.optional(),
   createdAt: Iso8601
 });
-var IdentityUpdate = z.strictObject({
+var IdentityUpdate = z.looseObject({
   version: z.literal(1),
   type: z.literal("update"),
   previousOperationCID: CIDString,
@@ -88,7 +82,7 @@ var IdentityUpdate = z.strictObject({
   services: ServicesArray.optional(),
   createdAt: Iso8601
 });
-var IdentityDelete = z.strictObject({
+var IdentityDelete = z.looseObject({
   version: z.literal(1),
   type: z.literal("delete"),
   previousOperationCID: CIDString,
@@ -100,7 +94,7 @@ var IdentityOperation = z.discriminatedUnion("type", [
   IdentityDelete
 ]);
 var VerifiedIdentity = z.strictObject({
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   isDeleted: z.boolean(),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
@@ -108,34 +102,34 @@ var VerifiedIdentity = z.strictObject({
   /** Resolved discovery vocabulary — projection of the winning head's services */
   services: ServicesArray
 });
-var ContentCreate = z.strictObject({
+var ContentCreate = z.looseObject({
   version: z.literal(1),
   type: z.literal("create"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   documentCID: CIDString,
   baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable()
+  note: z.string().nullable()
 });
-var ContentUpdate = z.strictObject({
+var ContentUpdate = z.looseObject({
   version: z.literal(1),
   type: z.literal("update"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   previousOperationCID: CIDString,
   documentCID: CIDString.nullable(),
   baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable(),
+  note: z.string().nullable(),
   /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
-var ContentDelete = z.strictObject({
+var ContentDelete = z.looseObject({
   version: z.literal(1),
   type: z.literal("delete"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   previousOperationCID: CIDString,
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable(),
+  note: z.string().nullable(),
   /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
@@ -144,28 +138,27 @@ var ContentOperation = z.discriminatedUnion("type", [
   ContentUpdate,
   ContentDelete
 ]);
-var MAX_SCHEMA = 256;
 var MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
-var ArtifactContent = z.object({ $schema: z.string().max(MAX_SCHEMA) }).catchall(z.unknown());
-var ArtifactPayload = z.strictObject({
+var ArtifactContent = z.object({ $schema: z.string() }).catchall(z.unknown());
+var ArtifactPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("artifact"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   content: ArtifactContent,
   createdAt: Iso8601
 });
-var CountersignPayload = z.strictObject({
+var CountersignPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("countersign"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   targetCID: CIDString,
   relation: z.string().min(1).max(MAX_RELATION).optional(),
   createdAt: Iso8601
 });
-var RevocationPayload = z.strictObject({
+var RevocationPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("revocation"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   credentialCID: CIDString,
   createdAt: Iso8601
 });
@@ -288,6 +281,11 @@ var verifyIdentityChain = async (input) => {
       }
     }
     const encoded = await dagCborCanonicalEncode(op);
+    if (encoded.bytes.length > MAX_OPERATION_SIZE) {
+      throw new Error(
+        `log[${idx}]: operation exceeds max size: ${encoded.bytes.length} > ${MAX_OPERATION_SIZE}`
+      );
+    }
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
       throw new Error(`log[${idx}]: missing cid in protected header`);
@@ -383,6 +381,9 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
     throw new Error("createdAt must be after last op");
   }
   const encoded = await dagCborCanonicalEncode(op);
+  if (encoded.bytes.length > MAX_OPERATION_SIZE) {
+    throw new Error(`operation exceeds max size: ${encoded.bytes.length} > ${MAX_OPERATION_SIZE}`);
+  }
   const operationCID = encoded.cid.toString();
   if (!decoded.header.cid) throw new Error("missing cid in protected header");
   if (decoded.header.cid !== operationCID) throw new Error("cid mismatch in protected header");
@@ -434,6 +435,18 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
 };
 
 // src/chain/content-chain.ts
+var operationSizeForCap = async (op, fullByteLength) => {
+  const auth = op.authorization;
+  if (typeof auth !== "string") return fullByteLength;
+  if (auth.length > MAX_CREDENTIAL_SIZE) {
+    throw new Error(
+      `authorization credential exceeds max size: ${auth.length} > ${MAX_CREDENTIAL_SIZE}`
+    );
+  }
+  const { authorization: _omit, ...rest } = op;
+  const encoded = await dagCborCanonicalEncode(rest);
+  return encoded.bytes.length;
+};
 var signContentOperation = async (input) => {
   const encoded = await dagCborCanonicalEncode(input.operation);
   const operationCID = encoded.cid.toString();
@@ -557,6 +570,10 @@ var verifyContentChain = async (input) => {
       }
     }
     const encoded = await dagCborCanonicalEncode(op);
+    const opSize = await operationSizeForCap(op, encoded.bytes.length);
+    if (opSize > MAX_OPERATION_SIZE) {
+      throw new Error(`operation exceeds max size: ${opSize} > ${MAX_OPERATION_SIZE}`);
+    }
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
       throw new Error(`log[${idx}]: missing cid in protected header`);
@@ -658,6 +675,10 @@ var verifyContentExtensionFromTrustedState = async (input) => {
     }
   }
   const encoded = await dagCborCanonicalEncode(op);
+  const opSize = await operationSizeForCap(op, encoded.bytes.length);
+  if (opSize > MAX_OPERATION_SIZE) {
+    throw new Error(`operation exceeds max size: ${opSize} > ${MAX_OPERATION_SIZE}`);
+  }
   const operationCID = encoded.cid.toString();
   if (!decoded.header.cid) throw new Error("missing cid in protected header");
   if (decoded.header.cid !== operationCID) throw new Error("cid mismatch in protected header");
@@ -835,6 +856,7 @@ var verifyRevocation = async (input) => {
 export {
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MultikeyPublicKey,
   CONTENT_ID_ANCHOR_RE,
   ARTIFACT_CID_ANCHOR_RE,

package/dist/credentials/index.d.ts

@@ -1,11 +1,22 @@
 import { z } from 'zod';
-import { V as VerifiedIdentity } from '../schemas-Myod8ES9.js';
+import { V as VerifiedIdentity } from '../schemas-Bb_9P8_s.js';
 
+/**
+ * Max byte length of a credential JWS token — the credential's analog of
+ * MAX_OPERATION_SIZE. Credentials are EXEMPT from the 64 KiB operation cap (a
+ * maximum-depth 16-hop delegation chain embeds each parent token in `prf` and
+ * legitimately exceeds it), so they carry their own larger ceiling. Measured
+ * over the serialized leaf token, which contains the entire nested chain, so one
+ * bound caps the whole delegation. A DoS guard on the nested `prf` structure;
+ * generous (a max-depth chain serializes to well under this). VALIDITY-
+ * determining: MUST match the Go reference (maxCredentialSize in jwt.go).
+ */
+declare const MAX_CREDENTIAL_SIZE = 262144;
 /** Single attenuation entry — resource + action pair */
 declare const Attenuation: z.ZodObject<{
     resource: z.ZodString;
     action: z.ZodString;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type Attenuation = z.infer<typeof Attenuation>;
 /** DFOS credential payload — UCAN-style authorization token */
 declare const DFOSCredentialPayload: z.ZodObject<{
@@ -16,11 +27,11 @@ declare const DFOSCredentialPayload: z.ZodObject<{
     att: z.ZodArray<z.ZodObject<{
         resource: z.ZodString;
         action: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     prf: z.ZodDefault<z.ZodArray<z.ZodString>>;
     exp: z.ZodNumber;
     iat: z.ZodNumber;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type DFOSCredentialPayload = z.infer<typeof DFOSCredentialPayload>;
 /** Claims for a DID-signed auth token (relay AuthN) */
 declare const AuthTokenClaims: z.ZodObject<{
@@ -29,7 +40,7 @@ declare const AuthTokenClaims: z.ZodObject<{
     aud: z.ZodString;
     exp: z.ZodNumber;
     iat: z.ZodNumber;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type AuthTokenClaims = z.infer<typeof AuthTokenClaims>;
 
 interface AuthTokenCreateOptions {
@@ -200,4 +211,4 @@ declare class CredentialVerificationError extends Error {
     constructor(message: string);
 }
 
-export { Attenuation, AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, type VerifiedAuthToken, type VerifiedDFOSCredential, type VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain };
+export { Attenuation, AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, MAX_CREDENTIAL_SIZE, type VerifiedAuthToken, type VerifiedDFOSCredential, type VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain };

package/dist/credentials/index.js

@@ -4,6 +4,7 @@ import {
   AuthTokenVerificationError,
   CredentialVerificationError,
   DFOSCredentialPayload,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,
@@ -12,14 +13,15 @@ import {
   verifyAuthToken,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "../chunk-LQFOBE6X.js";
-import "../chunk-GQOZJKKO.js";
+} from "../chunk-J3XXF6F5.js";
+import "../chunk-4QQ5HK5M.js";
 export {
   Attenuation,
   AuthTokenClaims,
   AuthTokenVerificationError,
   CredentialVerificationError,
   DFOSCredentialPayload,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,

package/dist/crypto/index.js

@@ -21,7 +21,7 @@ import {
   signPayloadEd25519,
   verifyJws,
   verifyJwt
-} from "../chunk-GQOZJKKO.js";
+} from "../chunk-4QQ5HK5M.js";
 export {
   JwsVerificationError,
   JwtVerificationError,

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, assertJwsProfile, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
-export { A as ARTIFACT_CID_ANCHOR_RE, a as ArtifactPayload, C as CONTENT_ID_ANCHOR_RE, b as ContentOperation, c as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_SERVICES_ENTRIES, e as MAX_SERVICES_PAYLOAD_SIZE, f as MultikeyPublicKey, R as RevocationPayload, S as ServiceEntry, g as ServicesArray, h as Signer, V as VerifiedIdentity } from './schemas-Myod8ES9.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, a as ArtifactPayload, C as CONTENT_ID_ANCHOR_RE, b as ContentOperation, c as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_OPERATION_SIZE, e as MAX_SERVICES_ENTRIES, f as MAX_SERVICES_PAYLOAD_SIZE, g as MultikeyPublicKey, R as RevocationPayload, S as ServiceEntry, h as ServicesArray, i as Signer, V as VerifiedIdentity } from './schemas-Bb_9P8_s.js';
 export { AnchorKind, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, RECOGNIZED_SERVICE_TYPES, VerifiedArtifact, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, anchorsByLabel, assertServicesWithinCap, classifyAnchor, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, isRecognizedServiceType, relayEndpoints, signArtifact, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
-export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
+export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, MAX_CREDENTIAL_SIZE, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
 import 'multiformats';
 import 'multiformats/cid';
 import 'zod';

package/dist/index.js

@@ -6,6 +6,7 @@ import {
   CountersignPayload,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
@@ -33,7 +34,7 @@ import {
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   verifyRevocation
-} from "./chunk-SDUOUFTF.js";
+} from "./chunk-J5C4OXL4.js";
 import {
   Attenuation,
   AuthTokenClaims,
@@ -42,6 +43,7 @@ import {
   DFOSCredentialPayload,
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,
@@ -52,7 +54,7 @@ import {
   verifyAuthToken,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "./chunk-LQFOBE6X.js";
+} from "./chunk-J3XXF6F5.js";
 import {
   JwsVerificationError,
   JwtVerificationError,
@@ -76,7 +78,7 @@ import {
   signPayloadEd25519,
   verifyJws,
   verifyJwt
-} from "./chunk-GQOZJKKO.js";
+} from "./chunk-4QQ5HK5M.js";
 export {
   ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
@@ -94,6 +96,8 @@ export {
   JwsVerificationError,
   JwtVerificationError,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_CREDENTIAL_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,

package/dist/{schemas-Myod8ES9.d.ts → schemas-Bb_9P8_s.d.ts}

@@ -2,15 +2,36 @@ import { z } from 'zod';
 
 /** Function that signs a byte array and returns a signature */
 type Signer = (message: Uint8Array) => Promise<Uint8Array>;
-/** Max number of service entries in an identity's services state */
-declare const MAX_SERVICES_ENTRIES = 16;
-/** Max CBOR-encoded size of the services array (bytes) — protocol constant */
-declare const MAX_SERVICES_PAYLOAD_SIZE = 8192;
+/**
+ * Max number of service entries in an identity's services state — a generous
+ * cardinality ceiling on resolution fan-out. Individual entry fields are NOT
+ * separately length-capped (no per-field length zoo): the aggregate byte cap
+ * below, plus the operation-size cap, bound entry size. The op-size cap is the
+ * real arbiter when services and keys are both large.
+ */
+declare const MAX_SERVICES_ENTRIES = 256;
+/**
+ * Max CBOR-encoded size of the services array (bytes) — the SINGLE aggregate that
+ * bounds the services manifest, replacing the former per-field length caps (the
+ * same collapse the op-size cap applied at the operation level). Sized so the
+ * 256-entry ceiling is genuinely reachable with realistic entries.
+ */
+declare const MAX_SERVICES_PAYLOAD_SIZE = 32768;
+/**
+ * Max dag-cbor-encoded size of a single protocol operation payload (bytes) — the
+ * one aggregate validity bound on operation size, measured over the exact bytes
+ * the CID commits to. Generously set (64 KiB) so it never binds a legitimate
+ * proof-layer operation while bounding decode/verify cost (a DoS + determinism
+ * invariant). This is a VALIDITY-determining cap: it MUST be identical across
+ * implementations. Large binary media does NOT travel in operation payloads —
+ * it is referenced, not inlined — so this bound is about proof-layer ops only.
+ */
+declare const MAX_OPERATION_SIZE = 65536;
 declare const MultikeyPublicKey: z.ZodObject<{
     id: z.ZodString;
     type: z.ZodLiteral<"Multikey">;
     publicKeyMultibase: z.ZodString;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type MultikeyPublicKey = z.infer<typeof MultikeyPublicKey>;
 /**
  * Anchor target shapes — a ContentAnchor references a STABLE content
@@ -49,23 +70,23 @@ declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     assertKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     controllerKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     services: z.ZodOptional<z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
     }, z.core.$catchall<z.ZodUnknown>>>>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"update">;
     previousOperationCID: z.ZodString;
@@ -73,28 +94,28 @@ declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     assertKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     controllerKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     services: z.ZodOptional<z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
     }, z.core.$catchall<z.ZodUnknown>>>>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"delete">;
     previousOperationCID: z.ZodString;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>], "type">;
+}, z.core.$loose>], "type">;
 type IdentityOperation = z.infer<typeof IdentityOperation>;
 declare const VerifiedIdentity: z.ZodObject<{
     did: z.ZodString;
@@ -103,17 +124,17 @@ declare const VerifiedIdentity: z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     assertKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     controllerKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     services: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
@@ -128,7 +149,7 @@ declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     baseDocumentCID: z.ZodNullable<z.ZodString>;
     createdAt: z.ZodISODateTime;
     note: z.ZodNullable<z.ZodString>;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"update">;
     did: z.ZodString;
@@ -138,7 +159,7 @@ declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     createdAt: z.ZodISODateTime;
     note: z.ZodNullable<z.ZodString>;
     authorization: z.ZodOptional<z.ZodString>;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"delete">;
     did: z.ZodString;
@@ -146,7 +167,7 @@ declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     createdAt: z.ZodISODateTime;
     note: z.ZodNullable<z.ZodString>;
     authorization: z.ZodOptional<z.ZodString>;
-}, z.core.$strict>], "type">;
+}, z.core.$loose>], "type">;
 type ContentOperation = z.infer<typeof ContentOperation>;
 /** Max CBOR-encoded payload size for artifacts (bytes) — protocol constant */
 declare const MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
@@ -159,7 +180,7 @@ declare const ArtifactPayload: z.ZodObject<{
         $schema: z.ZodString;
     }, z.core.$catchall<z.ZodUnknown>>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type ArtifactPayload = z.infer<typeof ArtifactPayload>;
 /**
  * Countersign: standalone witness attestation referencing a target operation by CID.
@@ -177,7 +198,7 @@ declare const CountersignPayload: z.ZodObject<{
     targetCID: z.ZodString;
     relation: z.ZodOptional<z.ZodString>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type CountersignPayload = z.infer<typeof CountersignPayload>;
 /** Revocation: signed credential revocation artifact, gossiped on the proof plane */
 declare const RevocationPayload: z.ZodObject<{
@@ -186,7 +207,7 @@ declare const RevocationPayload: z.ZodObject<{
     did: z.ZodString;
     credentialCID: z.ZodString;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type RevocationPayload = z.infer<typeof RevocationPayload>;
 
-export { ARTIFACT_CID_ANCHOR_RE as A, CONTENT_ID_ANCHOR_RE as C, IdentityOperation as I, MAX_ARTIFACT_PAYLOAD_SIZE as M, RevocationPayload as R, ServiceEntry as S, VerifiedIdentity as V, ArtifactPayload as a, ContentOperation as b, CountersignPayload as c, MAX_SERVICES_ENTRIES as d, MAX_SERVICES_PAYLOAD_SIZE as e, MultikeyPublicKey as f, ServicesArray as g, type Signer as h };
+export { ARTIFACT_CID_ANCHOR_RE as A, CONTENT_ID_ANCHOR_RE as C, IdentityOperation as I, MAX_ARTIFACT_PAYLOAD_SIZE as M, RevocationPayload as R, ServiceEntry as S, VerifiedIdentity as V, ArtifactPayload as a, ContentOperation as b, CountersignPayload as c, MAX_OPERATION_SIZE as d, MAX_SERVICES_ENTRIES as e, MAX_SERVICES_PAYLOAD_SIZE as f, MultikeyPublicKey as g, ServicesArray as h, type Signer as i };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metalabel/dfos-protocol",
-  "version": "0.11.0",
+  "version": "0.12.0",
   "type": "module",
   "description": "DFOS Protocol — Ed25519 signed chain primitives, services, credentials, and verification",
   "license": "MIT",